Healthcare SIG Webinar June 2016
Healthcare Security: Assessing the Third Party Risk
This webinar is generously sponsored by:
Healthcare Security: Assessing Third Party Risk 2
Healthcare SIG Webinar Contributors
• Stephen Fitton
  Information Security Officer - Clinicient, Inc.
• Karen McMillen, CISSP
  Security Analyst - Asante
• Andrew Reeder, CISA, CISM, CISSP
  Director, Privacy & Security – Rush University Medical Center
• Roy Wattanasin, CSSLP
  Information Security Officer – MITM
“A chain is no stronger than its weakest link, and life after all is a chain.” - William James
Discussion Points
Third Party Risk Assessments (TPRA):
• Some History
• What is a TPRA?
• Why So Important Now?
• Where and When to Use Them
• Examples/Types
• How to Manage Them
• Who Can Help
Some Relevant History
Evolution of Healthcare Patient Care Model
• Focus from Acute Care to Continuum of Care
• Electronic Medical Record AND Medical Devices
• Evidence-Based: Metrics and “Big Data” management
• Individuals’ Rights: Use, Disclosure, and Access to Their Data
Associated Evolution of HIT Model
• Wide Scope of Data Sharing - the data “supply chain”
• Networked Medical Systems – and life-supporting medical devices
• Very Large Stores of Sensitive Data
• Emphasis on Privacy and Security
And HIT Must Follow the Evolution of Global IT
• Commoditized - BYOD
• Online, Collaborative – Outsourcing and Cloud Technology
• Mobile – eMR on your iPhone
• Virtualized – Telemedicine and “virtual hospitals”
What is a “Third Party”?
For our purposes, a “third party” is an outside entity with access or controls to Enterprise systems and/or data and may provide a service to an organization.
Examples include:
• Business Associates AND other entities which provide functions or activities for the organization
• Business Partners
• Contractors
• Vendors
• Cloud Services
• Other Managed Service Providers (e.g., transcription services)
What is a Third Party Risk Assessment (TPRA)?
A documented assessment of a third party’s information security risk profile
Derived from one or more of the following:
• Security control documentation/checklists
• Standardized Information Gathering (SIG)
• Facility walkthrough
• Verification, e.g., contract Agreed Upon Procedures (AUP)
• Staff interviews
• Security testing: website and system scan results
• System configuration and log reports
• External audit reports (SSAE 16, etc.)
Why are TPRAs Important?
• Regulatory Requirement - Risk Assessments
  OCR will investigate and can penalize cases of “willful neglect”
• Stakes are High
  70% of reported breaches are from Business Associates
  Patient dependence on systems - loss of availability risk
• Increased Use and Dependency Upon TPs
  Cloud migration and outsourcing
  Response to paradigm shift: infrastructure security model vs. data-centric security model
• Business Associate agreements are usually not specific enough for litigation
  A signed BAA does not protect Covered Entities and Business Associates from liability.
BOTTOM LINE: TPRAs must be a key element of any Security Program.
Regulatory Considerations
• HIPAA Security Rule - Includes requirements for Administrative, Technical, and Physical safeguards which are either Required or Addressable
  The conduct of a Risk Assessment is required and found under the Administrative Standards of “Security Management Process” (CFR 164.308(a)(1)(i)) and “Evaluation” (CFR 164.308(a)(8))
• HITECH Act/Omnibus Rule – Includes Privacy and Security Rule compliance requirements for Business Associates contracted by a Covered Entity
• “Meaningful Use” is the incentive program established under the American Recovery and Reinvestment Act of 2009 and promotes the adoption of electronic health record technology
  Includes a requirement for the conduct of a Security Risk Analysis and to correct security deficiencies (CFR 164.308(1)(ii)(A))
• Federal and State requirements - Typically don’t define HOW to conduct a risk assessment; only that one be accomplished.
  A TPRA can be considered a best practice and should be part of ongoing risk assessment activities
• Checking for the existence of Security Risk Assessment efforts is included in the audit program of the Office for Civil Rights
Also – Industry Requirements Examples:
• PCI 3.0 12.8.2: Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
• ISO: Required for ISO 27001 Information Security Certification
• NIST SP 800-39 Managing Information Security Risk: A key component of NIST compliance
The TPRA Conundrum
• Lack of Consistent or Standard Templates, Content & Methodology
• Different Vulnerability and Control Types According to Object of Review
  Application – company hosted
  Cloud Services - SaaS, PaaS and IaaS: Cloud Security Alliance - Cloud Control Matrix (CCM)
  Medical Devices - MDS2: Manufacturer Disclosure Statement for Medical Device Security form
  Healthcare Services – e.g., Transcription Services
  Mobile Device Controls
  SSAE 16 and other third party risk assessments
TPRA Support & Tools
You Don’t Have to Create Your Own!
• Well Known Framework Controls & Questionnaires: NIST, HITRUST, ISO, PCI
• Shared Assessment Program (est. 2005): Standardized and objective vendor assessment methodology; member input and annual review of tools
• International Computer Alliance Security (ISAC): In response to 1998 UK Data Protection Act (DPA); categories of assessment according to third party type/size
• CIS – Center for Information Security “Benchmarks”: Platform-specific security control baseline recommendations
• GOOGLE – Scalable Vendor Security Reviews: VSAQ Framework
• Vendor Shared Assessment Programs – Industry-specific offerings
• TPRA Example 1: Cloud Security Alliance Cloud Controls Matrix
• TPRA Example 2: Medical Device
• TPRA Example 3: SharedAsessments.com - SIG
• TPRA Example 4: Website Scan
Managing the TPRA Process
• Know Where Your Third Parties Are
  Begin with your Contracts & Purchasing Departments
  Network scans help locate non-inventoried vendor systems
• Begin with Education
  Executive
  Enterprise Policies & Procedures
  Targeted Departments (e.g., Purchasing, Legal, PMO)
• Create Appropriate Business Processes/Work Flows
  Capital Purchase Request notification to IT Security
  Clinician education of vendor security requirements
• Develop or Purchase Tools
  Assessment templates (surveys, checklists)
  GRC database/reporting
• Obtain Sufficient Staffing to Support TPRA
  Part of Management Education Process
  Vendor Support Becoming Available
The Vendor Risk Management Maturity Model (VRMMM)
• Three Components: Program Definition, Execution and Management
• Five Levels of Proficiency/Maturity
• Provides a Good Roadmap for Improvement
• Provides a Good Management Reporting Tool
And what is your VRMMM rating?
Other Points to Consider
• Remember that all data has a lifecycle
  Address destruction or return of data from Business Associates after the contract ends
• Ask your Business Associates how they perform due diligence on securing THEIR Business Associates as well
  “…an upstream entity will be in violation of the regulations if it “knows” of “a pattern of activity or practice” which “constitutes a material breach or violation” of the Business Associate Contract, and fails to either take “reasonable steps to cure the breach,” or terminates the contract.”
  © 2013 John R. Christianson and the American Bar Association, The HITECH Business Associate Contract Bible: Provisions for Covered Entities, Business Associates and SubContractors
• Ask your Legal Department how your vendor contracts address security requirements beyond the BA – e.g., is the contract void if the vendor does not fulfill its security agreement?
• Cyber Insurance
  Do your Executives expect cyber insurance to cover third party breaches? Will it?
Summary
• TPRAs have become a key element of any Information Security Program
  Lack of a TPRA program = risk
• TPRAs have grown out of the changes in the Healthcare Model, HIT and global IT trends.
• TPRAs are required for HIPAA compliance
• TPRA management requires management education and the development of internal and external business processes
• TPRA best practices and standards are still evolving
• Industry support and third party security management niche vendors are developing – but growing!
• Pay Attention to What’s Going On. It’s important.
Guest Speaker & Panelist
Jonathan Dambrot, CEO/Co-Founder Prevalent, Inc.
Prevalent is a leader and industry visionary in third-party risk management and threat intelligence monitoring. They have revolutionized the way organizations manage and monitor their 3rd and 4th party vendor relationships and they recently introduced Prevalent Synapse – the first unified third-party risk assessment, threat monitoring and collaboration platform.
Jonathan is the CEO and Co-Founder of Prevalent. He has spoken on the need for third-party risk management at the leading industry events including RSA, Shared Assessments Summit, ISACA, ISSA, Infragard, NYSE, and others. Jonathan also helped develop the Risk Assessment Body of Knowledge (RABOK) as part of the development of Shared Assessments efforts to develop the first of its kind certification for third-party risk professionals (CTPRP). Jonathan is currently the Chair of the Shared Assessments Steering Committee, Former Chair of the Shared Assessments SIG Committee, and sits on the Penn State Outreach Advisory Board.
Prior to working in the technology industry, Jonathan launched a highly successful consumer products company where he won several collegiate entrepreneurial awards. Jonathan is a graduate of Fairleigh Dickinson University, received his MBA from The Pennsylvania State University, is a Certified Third-Party Risk Professional (CTPRP), and a Certified Information Systems Security Professional (CISSP).
2016 Ponemon Study - 3rd Party Risk Landscape
• 56% of respondents say they do NOT know what IP and other high value "crown jewels" are in the hands of third parties
• Only 26% of respondents say the process they use to assess third party risk is effective.
• 75% of respondents consider 3rd Party Risk serious & increasing, while 70% say that 3rd Party Risk is SIGNIFICANTLY INCREASING
Ponemon Institute. Tone at the Top and Third-Party Risk. April 2016
A Unified Platform
The Synapse Approach
• Current methods focus on a one-to-one relationship model
• Synapse approach focuses on scale, automation, and leveraged content to build a third-party assessment ecosystem that continuously grows
Synapse Architecture
Synapse Use Cases
Enterprise Networks
• Example: PayPal - automate processes, reduce costs & scale to a large number of global vendors using the Synapse approach
Vertical Networks
• Example: Legal Vendor Network - top global law firms have standardized assessment & continuous monitoring using the Synapse approach
Service Provider Networks
• Example: Ellie Mae – enabling Ellie Mae vendors and partners to provide third and fourth-party visibility to clients
Vertical Network Example
Healthcare network coming soon!
• What is Legal Vendor Network?
  A membership-based program designed for law firms to assess and monitor 3rd party vendors for security and data risk
• What are the Benefits?
  Vendor Repository in Prevalent’s Vendor Risk Manager
  Scaled to assess vendors of all sizes; 2 person to 100,000 person vendors
  Mechanism to determine whether other firms use vendor
  Pre-Assessment to determine vendor importance and leveling
  Threat intelligence and network sharing available to all members
Service Provider Network: Ellie Mae
PANEL Q & A